
Disclosure Records of Recognized Certification Authorities

Disclosure Record for the Postmaster General

(This is page 30 of the disclosure record for the Postmaster General maintained by the Government Chief Information Officer (GCIO) under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) (ETO).)

Assessment Report and Statutory Declaration in respect of the Issuance of g-Cert (Individual) and g-Cert (Functional Unit)

Postmaster General (hereinafter referred to as Hongkong Post CA (HKPCA)) planned to issue recognized digital certificates, namely g-Cert (Individual) and g-Cert (Functional Unit), for the Centrally Managed Messaging Platform (CMMP) of the Office of the Government Chief Information Officer (OGCIO). The issuance of the recognized digital certificates will, among others, involve the following major changes:

  1. a new system interface between HKPCA and CMMP to process electronic submission of certificate requests and related certification services of g-Cert;
  2. changes in network systems and configurations of related network equipment and updates to the network system of HKPCA's disaster recovery environment;
  3. new operational procedures for handling application of e-Cert, electronic submission of certificate signing requests and transfer of g-Cert between HKPCA and CMMP; and
  4. new agreement covering the roles, responsibilities and obligations of the parties involved in the issue of g-Cert.

The GCIO considered that the changes involved in the issuance of recognized digital certificates are major changes. In this light, the GCIO had, by notice given to the HKPCA, required the HKPCA to furnish to the GCIO an assessment report and a statutory declaration pursuant to section 43A(1) of the ETO. In this connection, the HKPCA arranged for an independent assessor to prepare an assessment report and furnished a statutory declaration made by a responsible officer of the HKPCA in relation to the issuance of recognized digital certificates for the CMMP.

In accordance with section 43A(3) of the ETO, the GCIO must publish in the disclosure record for the HKPCA as a recognized CA the dates of and the material information in the assessment report and statutory declaration on the CA services of the HKPCA. Only those parts of the report and statutory declaration containing material information are herewith published.

Assessment Report

A. Date of the Report

  • The date of the report is 19 June 2019.

B. Material Information

  1. In the assessor's opinion, in all material respects:
    1. the management assertions, in respect of HKPCA’s capability to comply with the relevant sections of the COP (see Note 1) set out in Part 3A of Appendix 3 to PN-870 (see Note 2) as a result of the major changes for the issuance of recognized digital certificates for CMMP (see Note 3) as of the report issuance date, are reasonable. In particular, HKPCA is capable of:
      1. disclosing its business practices in its CPS (see Note 4) in accordance with international standards / industry practices with reference to the WebTrust standard and the applicable ETO and COP provisions, and providing its services in accordance with its disclosed business practices; and
      2. reasonably complying with the relevant requirements in respect of the use of a trustworthy system and repositories implemented through such trustworthy system, where they are affected by the major changes for the issuance of recognized digital certificates for CMMP;
    2. no information came to the assessor’s attention during the course of the assessment that would indicate that the management assertions, in respect of HKPCA’s capability to comply with the relevant sections of the COP set out in Part 3B of Appendix 3 to PN-870 as a result of the major changes for the issuance of recognized digital certificates for CMMP, as of the report issuance date, are not reasonable;
    3. HKPCA has reasonably complied with international standards / industry practices with reference to the WebTrust standard and the applicable ETO and COP provisions for the major changes for the issuance of recognized digital certificates for CMMP;
    4. according to HKPCA, the implementation of the issuance of recognized digital certificates for CMMP is largely based on its existing technology and resources. It is considered that there are no material changes in the financial status of the RCA for operating as such in accordance with the ETO and COP; and
    5. according to HKPCA, HKPCA with Certizen as its Agent has taken steps to put in place an insurance arrangement to ensure that it is capable of covering the potential liabilities arising from or related to the issuance and use of HKPCA’s certificates due to the major changes.
  2. Given the fact that certain procedures and controls designed to ensure compliance with international standards / industry practices with reference to the WebTrust standard and the applicable ETO and COP provisions would be implemented either between the completion date of the assessment work and the scheduled CMMP system launch date, or after the system launch date, the assessor was unable to ascertain if such procedures and controls would be effectively implemented or executed. Despite the above, the assessor understands that HKPCA and its Agent have put in place an implementation plan for these procedures and controls. Assessor’s remarks and HKPCA’s responses are provided below:

Remarks made by the assessor and responses of HKPCA:

  i. Remark made by the assessor: A Security Risk Assessment (“SRA”) has been arranged by OGCIO for the implementation of CMMP and conducted by another third party security consultant, and the SRA work conducted has not been subjected to the assessor’s review procedures.
     Response of HKPCA: The scope of SRA arranged by OGCIO is for CMMP System only. Such assessment is not related to HKPCA operations.

  ii. Remark made by the assessor: According to HKPCA, the requirement to extend the existing insurance arrangement to cover the issuance of g-Cert has been communicated to the HKPCA’s agent’s designated insurer, which will become effective on the launch date of CMMP.
     Response of HKPCA: The existing insurance policy has been extended to cover the issuance of recognized digital certificates for CMMP with effect from 28 June 2019.

  iii. Remark made by the assessor: According to OGCIO, certain testing and assessments such as security penetration testing, production DR drill, and Security Risk Assessment and Audit (“SRAA”) will be conducted during the post-implementation stage. Therefore, the results of such arrangement, testing and assessments have not been subjected to the assessor’s review procedures.
     Response of HKPCA: The concerned testing and assessments to be conducted are for CMMP System only. Such testing and assessments are not related to HKPCA operations.

  iv. Remark made by the assessor: Any other tasks to be carried out after the completion date of our assessment.
     Response of HKPCA: Noted. Regarding the changes involved in the issuance of recognized digital certificates for CMMP, there is no outstanding task to be carried out in HKPCA after the completion date of the assessor's assessment.


Statutory Declaration

A. Date of the Declaration

  • The date of the declaration is 20 June 2019.

B. Material Information

  • Having regard to the issuance of g-Cert (Individual) and g-Cert (Functional Unit), a responsible officer of Hongkong Post CA declares that Hongkong Post CA as an RCA is capable of complying with the provisions of the Electronic Transactions Ordinance (Cap. 553) and the provisions of the COP which have been set out under paragraph 2 of Appendix of Annex I of the memorandum from Government Chief Information Officer (“GCIO”) dated 6 March 2019 (see Note 5).


Notes

  1. Code of Practice for Recognized Certification Authorities (COP) issued by the GCIO under section 33 of the ETO.
  2. Practice Note 870 "The Assessment of Certification Authorities under the Electronic Transactions Ordinance" issued by the Hong Kong Institute of Certified Public Accountants.
  3. Paragraph 1 of Appendix of Annex I of the notice is reproduced below for reference:
    1 For the purpose of section 43A(1)(c)(i) of the ETO
    1.1 The following provisions of the ETO shall come within the scope of the assessment.
      1. Part X - General Provisions as to Recognized CAs: Sections 36, 37, 39, 40, 44 and 45(1).
      2. Part XI - Provisions as to Secrecy, Disclosure and Offences: Sections 46, 47 and 48.
    1.2 The following provisions of the COP shall come within the scope of the assessment.
      1. General Responsibilities of a Recognized CA: Paragraphs 3.1 to 3.6 inclusive and 3.8.
      2. Certification Practice Statement: Paragraphs 4.1 to 4.13 inclusive.
      3. Trustworthy System: Paragraphs 5.1 to 5.3 inclusive, 5.6 to 5.17 inclusive and 5.19 to 5.21 inclusive.
      4. Certificates and Recognized Certificates: Paragraphs 6.1 to 6.23 inclusive.
      5. Verification of subscriber’s identity: Paragraphs 7.1 to 7.2 inclusive.
      6. Reliance Limit and Liability Cover: Paragraphs 8.1 to 8.4 inclusive.
      7. Repositories: Paragraphs 9.1 to 9.5 inclusive.
      8. Disclosure of Information: Paragraphs 10.1 to 10.6 inclusive.
      9. Inter-operability: Paragraphs 15.1 and 15.2.
      10. All paragraphs in Appendix 1 of the Code of Practice.
  4. Certification practice statements.
  5. Paragraph 2 of Appendix of Annex I of the notice is reproduced below for reference:
    2 For the purpose of section 43A(1)(d)(i) of the ETO
    2.1 A responsible officer of PMG shall make a statutory declaration which states that, having regard to PMG’s plan to issue g-Cert for the CMMP, PMG is capable of complying with the following provisions of the COP.
      1. General Responsibilities of a Recognized CA: Paragraphs 3.7 and 3.9.
      2. Trustworthy System: Paragraph 5.18.
      3. Disclosure of Information: Paragraphs 10.7 to 10.9 inclusive.
      4. Consumer Protection: Paragraph 16.1.